ww.sciencedirect.com

i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7

Available online at w

www.compseconl ine.com/publ icat ions/prodinf .htm

Server-aided signatures verification secure againstcollusion attack

Sherman S.M. Chow a,*, Man Ho Au b, Willy Susilo b

aDepartment of Information Engineering, Chinese University of Hong Kong, Hong KongbUniversity of Wollongong, NSW, Australia

Keywords:

Server-aided computation

Collusion attack

Signatures

Pairings

Delegation

Weak computational device

* Corresponding author.E-mail addresses: smchow@ie.cuhk.edu.h

1363-4127/$ e see front matter ª 2012 Elsevhttp://dx.doi.org/10.1016/j.istr.2012.10.007

a b s t r a c t

Wireless handheld devices are increasingly popular. The authenticity of the information or

a program to be downloaded is important, especially for business uses. In server-aided

verification (SAV), a substantial part of the verification computation can be offloaded to

an untrusted server. This allows resource-constrained devices to enjoy the security guar-

antees provided by cryptographic schemes, such as pairing-based signatures, which may

be too heavyweight to verify otherwise.

To gain unfair advantage, an adversary may bribe (or collude with) the server either to

convince that an invalid signature is a valid one or to claim that a valid signature is invalid

(say for providing repudiable information/commitment, or spoiling an opponent’s offer).

However, these concerns are not properly captured by existing models.

In this paper, we infer the meaning behind and point out the subtleties in existing

models; and propose a new model to capture the collusion attack. We also show that two

existing schemes are insecure in their own model. Finally, we provide a generic pairing-

based SAV protocol. Compared with the protocol of GiraulteLefranc in Asiacrypt ’05,

ours provides a higher level of security yet applicable to a much wider class of pairing-

based cryptosystems. In particular, it suggests SAV protocols for short signatures in the

standard model and aggregate signatures which have not been studied before.

ª 2012 Elsevier Ltd. All rights reserved.

1. Introduction 1.1. Server-aided computation of pairing

Server-aided computation protocols are protocols in which

a device, also called the client, offloads the computation to

a server. Nowadays, there aremany computation deviceswith

relatively limited power, e.g., smart card, SIM card, RFID tag,

but need to perform cryptographic operations which are both

time and power consuming. Moreover, there may not be

optimized library for the more-advanced cryptographic oper-

ations, such as pairings.

Server-aided computation protocols are particularly useful

since these devices often have access to a more powerful de-

vice which can act as the server.

k (S.S.M. Chow), aau@uoier Ltd. All rights reserve

Bilinear pairing is an enabling technology for constructing

next-generation cryptosystems. On one hand, it allows the

construction of novel cryptographic applications that are dif-

ficult to build based on other primitives, if not impossible. On

the other hand, it also facilitates the construction of some

highly efficient cryptographic solutions which are particularly

appealing for computationally-limited devices. Pairing is

currently instantiated on elliptic curves. The use of elliptic

curves leads to a shorter-representation of the cryptographic

group elements, so many pairing-based schemes can bemade

space-efficient. An ever increasing number of protocols have

w.edu.au (M.H. Au), wsusilo@uow.edu.au (W. Susilo).d.

i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 47

been appearing in the literature since its introduction. Ex-

amples of the former include identity-based encryption

(Boneh and Franklin, 2003) and attribute-based encryption

(Sahai and Waters, 2005). Examples of the latter include short

signature (Boneh et al., 2004b; Boneh and Boyen, 2008; Zhang

et al., 2004), aggregate signature (Boneh et al., 2003; Lu et al.,

2006) and constant-size broadcast encryption (Boneh et al.,

2005; Delerablee and Kurosawa, 2007), to name a few. Some

of which have a very simple design (e.g., Boneh et al., 2004b;

Boneh et al., 2003) when compared with non-pairing con-

structions. While these schemes may offer high efficiency in

terms of bandwidth or storage requirement, pairing itself is

a relatively heavyweight cryptographic operation. There may

not be optimized library for every platform such as SIM card or

RFID tags. To enjoy the features made possible by cryptog-

raphy, one may resort to a symmetric-key solution instead of

a public-key one (e.g., Chu et al., 2011), or employ tricks such

as precomputation (e.g., Chow et al., 2011). In this paper, we

study the approach of server-aided computation, with focus in

server-aided verification of digital signatures of compact size

which are secure under commonly accepted and black-box

falsifiable assumptions.1

1.2. Batched verification and signature aggregation

Under certain circumstances, conducting computation in

batch rather than individually yields better efficiency. In

Bellare et al. (1998), the concept of batch verification of sig-

natures was first studied. The verifier is assured that all sig-

natures in the batch are valid, yet the verification of many

signatures from the same signer can be sped up by conducting

the verification of equality of modular exponentiations in

batch. Regarding batch verification of pairing-based schemes,

Camenisch et al. (2007) studied batch verification of some

pairing-based short signatures frompossibly different signers,

based on the algebraic property of pairing. Ferrara et al. (2009)

studied batch verification of many more pairing-based short

signatures, which include standard short signatures (Boneh

et al., 2004b; Camenisch et al., 2007), aggregate signatures

(Boneh et al., 2003; Shao et al., 2005; Lu et al., 2006), group

signatures (Boneh et al., 2004a, Boneh and Shacham, 2004),

ring signatures (Boyen, 2007), identity-based signatures (Hess

et al., 2002; Cha and Cheon, 2003; Waters, 2005), and identity-

based ring signatures (Chow et al., 2005).

While batch verification aims at saving computational

overhead, aggregated signatures (Boneh et al., 2003) allow the

saving of bandwidth by compressing of a list of signatures

from possibly different signers and on different messages into

a single signature. The construction in Boneh et al. (2003) is

pairing-based.

1.3. Collusion attack

Server-aided computation of cryptographic operations should

not introduce new vulnerabilities to the application. This is

true if the server is fully-trusted and there exists a secure

1 We remark that there are signature schemes (e.g., Camenischand Lysyanskaya, 2004) which rely on interactive and thus non-black-box falsifiable assumption, such as LRSW assumption.

channel between the server and the client. In this case the

client can simply offload the computation to the server. Un-

fortunately, this trust assumption is not realistic. In reality,

the client could be facing a malicious server, or the client

cannot establish an authenticated connection with a trusted

server easily. (Authenticated connection can be established by

cryptographic means, which leads to a chicken-and-egg situ-

ation.) Moreover, concernswith confidentiality arise when the

operation involves some private information from the client

(e.g., decryption or signing which uses the client’s private key)

or when the operation result gives the basis for the client to

make a decision whether the integrity of some information

(e.g., via digital signature) has been tampered or not.

1.4. Existing work

In the work of Girault et al. (2005), some security requirements

of server-aided verification are formalized. Two existing pro-

tocols are then analysed in their model, and a new one for

a limited class of pairing-based signature schemes has been

introduced (specifically, schemes where the verification re-

quires only comparisons against a fixed element beðg; gÞÞ. Intheir model, a malicious server is not allowed to collude with

the signer. In particular, the security of the protocol relies on

the fact that the malicious server is not given any valid sig-

nature on that message. Subsequently, Wu et al. (2008, 2011)

proposed a SAV protocol for BoneheLynneShacham sig-

nature (Boneh et al., 2004b) since it is not covered in the pre-

vious semi-generic construction. Wu et al. also observed that

the securitymodel of Girault and Lefranc (2005) does not allow

an adversary to interact with the client via the aided ver-

ification protocol, and consequently devised an attack of their

protocol by exploiting this weakness. However, this attack

actually assumes the server to be deviated from the specifi-

cation of the aided verification protocol, which is different

from the models considered in Girault et al. (2005), Wu et al.

(2008, 2011). On the other hand, Wu et al. (2008, 2011) pro-

posed a security model aimed to capture the collusion of the

signer with the server. Recently, Wang et al. (2010) criticized

the model of Wu et al. (2008, 2011) and proposed a new one.

We found that these two models may not model the collusion

attack well. In particular, they do not consider an attacker,

who possesses the private key of the signer, colludes with the

server for convincing the client to accept a maliciously gen-

erated invalid signature. We will critically review the defini-

tions given by Wu et al. (2008, 2011) in Section 3, and discuss

the subtleties in themodelling of collusion attack in Section 4.

1.5. Our contribution

Security model is meant to capture all possible attacks in re-

ality. It is thus important to infer the intuition of a model. We

point out the meaning behind and the subtleties in existing

models; and propose a new security model to capture the

collusion attack. We also show that an existing scheme of Wu

et al. (2008) is insecure in their own model. This is not just

a theoretical concern or an artefact in the security proof. The

attacks can be easily launched in practice. Finally, we provide

a generic construction of SAV. Compared with the SAV pro-

tocol of Girault and Lefranc, ours provides a higher level of

i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 748

security yet can be applied on a much wider class of pairing-

based cryptosystems. In particular, it suggests SAV protocols

for short signatures in the standard model and aggregate

signatures which have not been studied before.

Roadmap In Section 2, we review the framework of server-

aided signatures verification and the cryptographic primitive

involved in this paper. We will also give a concise review of

three short signature schemes and an aggregate signature

scheme in the same section. Our results are presented after

this section. The model and the schemes of Wu et al. (2008,

2011) will be analysed in Section 3. We present our new se-

curity model for signature with server-aided verification pro-

tocol in Section 4, followed by a generic construction of

pairing-based SAV protocol and two classes of concrete in-

stantiations in Section 5. Finally, Section 6 concludes our

paper and identifies future research direction.

2. Preliminaries

2.1. Notations

We explain some notations used in the rest of this paper. We

use ha0;a1;.;ani to denote the set of positive integers. For

a finite set S, x˛RS means choosing an element x uniformly at

random from S. For algorithms A1 and A2, we use out )$

to

denote that out is the result of running A1 on input in, and

out1)A1ðin1Þ4A2ðin2Þ to denote that out1 is the final output of

algorithm A1 with local input in1 after interacting with algo-

rithm A2 with local input in2.

2 Obviously, l here should be the same as that used in Setup;otherwise, mismatch of expected and actual security level mayresult, not to say operational error like overflow.

2.2. Framework for server-aided verification ofsignatures

We first review two existing definitions, then give our

refinement.

Definition 1. A signature scheme is defined by the following

quadruple of algorithms:

� Setup(1l): an initializer probabilistically generates the system

parameter Param according to a security parameter 1l,where l is

a positive integer. Param will be part of the input of the other

algorithms, and will be omitted for brevity.

� KeyGen(): a signer uses this probabilistic algorithm to generate

a private/public key pair (sk,pk). Amessage space and a signature

space should be implicitly defined by pk.

� Sign(sk,m): a signer uses this possibly probabilistic algorithm to

output a signature s by taking the input of a signing key sk and

a message m.

� Verify(pk,s,m). Anyone can use this usually deterministic ver-

ification algorithm which takes the input of a public key pk,

a signature s and a message m. It outputs 1 iff s is a valid sig-

nature on m under pk, 0 otherwise.

Correctness of a signature scheme requires that for all l˛N, all

Param given by Setup(1l) and all ðsk;pkÞ given by KeyGen(), the

equation Verify(pk,Sign(sk,m),m)¼ 1 holds with probability 1 for all

message m in the message space.

Definition 2. A signature scheme (Setup,KeyGen,Sign, Verify) with

server-aided verification is one equipped with a VStetup algorithm

and an AidedVerify protocol.

� VStetup is a probabilistic algorithm executed by a verifier which

takes a security parameter 1l and outputs some verification

parameter VString.2

� AidedVerify is an interactive protocol between a verifier and

a server. The input of the verifier includes VString generated by

VStetup, a message/signature pair (m,s) obtained from a signer

and the public key pk of the signer. As a result of the protocol, the

verifier outputs 1 iff s is a valid signature on m under pk, 0 iff sis

an invalid signature, or t when the server “cheats”. The server

has no local output. We give a more fine-grained definition

regarding VStetup and AidedVerify.

Definition 3. Our definition of algorithms for server-aided ver-

ification are refined as below.

1. VString can be partitioned into private/public verification pa-

rameters ðs;GÞ, i.e., ðs;GÞ )$ .

2. AidedVerify is split into a pair of interacting multi-stage algo-

rithms AidedVerifyc and AidedVerifys, which denotes the

respective part of the AidedVerify protocol executed by a client

and a server.

Concretely, the first stage of AidedVerifyc takes m;s;pk; and

ðs;GÞ as an input, generates some state information state and

a protocol flow fc to the server; and the final stage takes state

together with a protocol flow fsfrom the server, and outputs either 1,

0, or t. On the other hand, AidedVerifys simply takes fc (and pos-

sibly G) as the input and outputs fs.

Definition 4. Correctness of a signature scheme with server-aided

verification requires that for all l˛N, all Param given by

Setup(1l), all (sk,pk) given by KeyGen(), and all VString given

by VStetup(1l), we have Verify(pk,s,m) AidedVerifycðm�; s�;pk;VStringÞ4AidedVerifysðGÞ holds for all m in the message space

and s in the signature space.

2.3. Existential unforgeability

The work of Wu et al. (2008, 2011) gives two security defi-

nition. The first one is an extension of the existential unfor-

geability against adaptive chosen message attack of

a standard signature scheme. Below gives our definition of

unforgeability that will be used throughout this paper. This is

based on the definition of Wu et al. with adjustments to be

elaborated.

Definition 5. A server-aided verification of signatures protocol is

ðt; qs;qvÞ-existentially unforgeable under adaptive chosen message

and verification attacks (EUF-CMVA) if for all probabilistic polyno-

mial time adversary A which runs within time t wins the following

game with negligible probability in a security parameter l.

i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 49

Setup. The challenger C runs the algorithms Setup, KeyGen and

VStetup to obtain the system parameter Param, a key pair (sk,pk) and

the verification private/public parameterVString ¼ ðs;GÞrespectively.The adversaryA is given Param, pk andG,while s and sk arewithheld

fromA.

Query. A can adaptively make at most qs OSign queries and at

most qv OAidedVer queries.

� In an OSign query,A supplies a message m. C puts m into a setMand responses with Sign(sk,m).

� In an OAidedVerquery, A starts by supplying a message/sig-

nature pair (m,s)to C. C then initiates the AidedVerifyprotocol as

a client, and the adversary A responses as the server.

Output. A outputs a message/signature pair (m*,s*) to C. A is

considered to win the game if m�;M and 1)AidedVerifycðm�;s�;pk; ðs;GÞÞ4AidedVerifysðGÞ.

2.3.1. ImplicationA difference from the security definition for standard digital

signatures is the additional OAidedVer oracle. The OAidedVer-

query issued by the adversary A is in the form of a message/

signature pair (m,s), which C responds by initiating the Aided-

Verify protocol as a client according to this (m,s). This ensures

that runningAidedVerify protocol many times would not harm

the client. For example, some secret may be used in the gen-

eration of verification parameter VString, and some partial in-

formationof this secretwhich is useful to fool the clientmaybe

leaked via the AidedVerify protocol.

2.3.2. Difference from the previous definitionsTheOAidedVeroracle is not consideredbyGirault et al. (2005). It

was first considered in the definition of Wu et al. (2008, 2011).

Apart from the adjustments regarding the division of private

and public components of verification parameters, wemake it

clear that thewinningconditionof theadversary isbasedonan

honest execution of the AidedVerify protocol, to capture the

basic unforgeability notion of a SAV scheme. It is weaker than

a definition based on any adversarial execution aided ver-

ification, i.e., 1)AidedVerifycðm�;s�;pk;VStringÞ4AðGÞ. We

choose to leave this to the definition of soundness inDefinition

8 to be described in Section 4.

2.4. Review of pairing and pairing-based signatureschemes

Table 1 e Concise review of selected pairing-basedsignature schemes.

Schemes Setup KeyGen

BLS H0 : f0; 1g�/G pk ¼ gx

ZSS H1 : f0; 1g�/Zp pk ¼ gx

BB H1 : f0; 1g�/Zp ðpkX;pkYÞ ¼ ðgx; gyÞBGLS H0 : f0; 1g�/G pki ¼ gxi

Schemes Sign Verify

BLS s ¼ H0(m)x beðg; sÞ¼? beðpk;H0ðmÞÞZSS s ¼ g1=ðH1ðmÞþxÞ beðg; gÞ¼? beðs; gH1ðmÞ$pkÞBB ðs1; s2Þ ¼ ðg1=H1ðmÞþxþyr; rÞ beðg; gÞ¼? beðs1; gH1ðmÞ$pkX$pk

s2Y Þ

BGLS si ¼ H0ðmiÞxi s ¼Yki¼1

si beðg; sÞ¼? Yki¼1

beðpki;H0ðmiÞÞ

Definition 6. Let G and GTbe two multiplicative cyclic groups both

of prime order p. Suppose g is a generator of G. A mapbe : G�G/GT is a pairing if it satisfies the following properties:

� (Bilinearity.) beðux; vyÞ ¼ beðu;vÞxy for all u;v˛G and x; y˛Zp.

� (Non-degeneracy.) beðg; gÞs1, where 1 is the identity element in

GT.

� (Computability.) beðu;vÞ can be computed in polynomial time for

all u; v˛G. We denote ðG;GT; g; p; beÞ by ParamBDH.

For simplicity of the presentation, this paper uses sym-

metric pairing. It should be noted that in order to instantiate

the schemes efficiently, a certain kind of asymmetric pairing

should be used for fast hashing to the group, short group

representations, etc. One may refer to the respective original

papers (Boneh et al., 2004b, 2003; Zhang et al., 2004; Boneh and

Boyen, 2008; Lu et al., 2006) for details.

Table 1 gives a concise review of a few selected short sig-

nature schemes and an aggregate signature scheme. We omit

ParamBDHwhich is used in all the schemes. All functions

chosen in the Setup are cryptographic hash functions which

map arbitrary bit-strings to G and Zp respectively. These

functions will be modelled as random oracles in the security

proofs of the corresponding schemes, except BB. The private

signing key is a random element x˛RZp; any additional com-

ponent which may be required is denoted by y˛RZp. We use

BLS, ZSS, BB and BGLS to denote the scheme in Boneh et al.

(2004b), Zhang et al. (2004), Boneh and Boyen (2008) and

Boneh et al. (2003) respectively. BB is provably secure in the

standard model.

3. Analysis of the model and the schemes ofWu et al.

3.1. Soundness of aided verification for a random invalidsignature

Definition 7. (Wu et al., 2008, 2011). A server-aided verification

protocol is (t,qv)-sound against adaptive chosen verification attacks

under collusion if for all probabilistic polynomial time adversary Awhich runs within time t wins the following game with negligible

probability in a security parameter l.

Setup. The challenger C runs the algorithms Setup, KeyGen and

VStetup to obtain the system parameter Param, a key pair (sk,pk)

and the verification parameter VString respectively. The adversary

A is given Param and (sk,pk). VStringis withheld from A.

Query. A can adaptively make at most qvOAidedVer queries,

defined as in Definition 5.

Output. A outputs a message m*. C then chooses a random

invalid signature s*as a response to A (i.e., A can see s*). We say Awins the game if we have AidedVerifyðA; Cðm� ;s� ;pk;VStringÞÞ ¼ 1.

3.1.1. ImplicationFor ease of understanding, we first contrast the above defi-

nition from Definition 5. To model the collusion with the

signer, the adversary is equippedwith sk (and hence theOSign

oracle is no longer useful to the adversary).

Fig. 1 e Wu et al.’s basic protocol (protocol I).

i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 750

We make the following three comments on this definition.

1. A random invalid signature s*is chosen by the challenger C.Whether the adversary A succeeds or not depends on this

invalid signature. Perhaps this definition can capture

a special possible case that the transmission error of a sig-

nature results in a uniformly random invalid signature,

however, we believe there is a more direct or intuitive

definition regarding soundness. As suggested in Wu et al.

(2008, 2011), Wu et al. failed to prove their schemes with

respect to a model stronger than this.

2. The challenger C needs to tell the adversary A what is the

invalid signature s* in question. This models the server’s

knowledge of the signature that a verifier holds. Practically,

it is not difficult for the adversary to do so. For example,

immediately after the adversary sent the “signature” to the

client, it can either impersonate the server which is within

the reachable network of the client, or instruct the collud-

ing servers to act accordingly.

3. For Definition 7, it is unclear to us if the condition3

AidedVerifyðA; Cðm� ;s� ;pk;VStringÞÞis suggesting that A is follow-

ing the specification of AidedVerify or not. Since the attack

against Girault et al. (2005) in Wu et al. (2008, 2011) requires

the malicious server to deviate from the protocol specifi-

cation, we assume their securitymodel does not restrict the

behaviour of the server.

3.2. Constructions

Wu et al. (2008, 2011) proposed two protocols, both are for BLS(Boneh et al., 2004b). These protocols are reviewed in Figs. 1

and 2.

In Wu et al. (2008, 2011), there are theorems claiming that

protocol I is existentially unforgeable and protocol II is both

existentially unforgeable and sound.

3.3. Soundness attack of protocol I

We start by showing a weakness of the protocol I (depicted in

Fig. 1) proposed by Wu et al. (2008, 2011) when the signer is

colluding with the server. We remark that it was only claimed

to have soundness when the adversary does not have the

signer’s private key. The attack tries to convince the verifier

that an invalid signature can pass the verification algorithm

under signer U’s public key. The server needs to know the

associated message, which is some information that the

signer can easily share with the colluding server. In addition,

the server needs to communicate with the signer. However,

the server does not need to identify the corresponding sig-

nature the verifier holds. For any messagem, and any random

invalid (with respect tom) signature s˛RG, our attack proceeds

as below.

1. The verifier sends (s,R) to the server as the first flow of the

AidedVerify protocol.

2. The server forwards (s,R) to the signer.

3 This is directly quoted from Wu et al. (2008, 2011) and is notconsistent with our notation used in Definition 2.

3. The signer then computes K1 ¼ beðH0ðmÞ;RÞx and sends it to

the server. Note that Definition 7 requires the adversary to

announce the message m, so it is known to the malicious

server.

4. The server simply forwards K1 to the verifier as the second

flow of the AidedVerify protocol.

It is easy to verify that the attack works by the bilinearity.

The signer has not leaked the signature H0(m)x to anyone

including the server. This matches with the underlying trust

assumption in Girault et al. (2005) and Wu et al. (2008, 2011)

that the server does not know any valid signature of the

message when it tries to use AidedVerify protocol to convince

the verifier.

One may wonder if it is a trivial attack as any adversary

knowing a private key can obviously convince a verifier. A

crucial point to note is that, while the verifier was convinced,

the signature he/she is holding is actually invalid and hence

not binding to the signer at all. It is similar to the security

concern in undeniable signature (e.g., Chaum and Antwerpen,

1989; Laguillaumie and Vergnaud, 2005) or confirmer sig-

nature (e.g., Chaum and Santis, 1994; Chow and Haralambiev,

2011).

The client is only in possession of K1 ¼ beðH0ðmÞx; grÞ, which

can be computed by beðH0ðmÞr; gxÞ without the signer’s private

key x. To implicate the involvement of the signer, one may

imagine that r can be chosen by a fourth party other than the

verifier, the signer and the server, such that the verifier only

knows R ¼ gr but not r. Based on the assumption that

K1 ¼ beðH0ðmÞx; grÞ is difficult to be computed from R ¼ gr, the

public key gx and H0(m), the signer must have “participated”.

Fig. 2 e Wu et al.’s protocol with soundness (protocol II).

i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 51

However, it is just a pathological case. First, a signature should

be publicly verifiable. Second, this fourth party can simply ask

for the signature from the client instead of using this con-

trived way to get convinced. To conclude, K1 cannot be seen as

something that binds the signer to the message.

3.4. Soundness attack of protocol II

Now we present our attack against the second protocol

(depicted in Fig. 2) proposed by Wu et al. (2008, 2011). In this

attack, the “signer” does not need to use his/her private

signing key at all. but the collusion group can convince

a verifier about the validity of signatures on anymessage from

anyone. Simply put, the adversary can perform a universal

forgery. This attack requires the server has some hint about

what is the (hidden) signature that a verifier holds, which is

doable in practice as we have argued before.

In essence, our attack recovers gr since a malicious signer

knows s and a colluding server receives s0 ¼ s$gr from the

client. The client can be easily fooled by (K2,K3) such that K2 ¼K3$beðg; grÞ holds. For any message m, and any random invalid

(with respect tom) signature s˛RG, the details of our attack are

as follow.

1. The client initiates the AidedVerify protocol and sends

s0 ¼ s$gr to the server.

2. Themalicious server, knowing the s in question, recovers gr

by s0/s.

3. The server randomly picks K3˛RGT, computes

K2 ¼ K3$beðg; grÞ, and returns (K2,K3) to the client.

The last step ofAidedVerify to be executed by the client is to

conclude that s is valid if K2 ¼ K3$Kr1. However, s is invalid. The

correctness of our attack thus follows.

3.5. Correctness attack

Reminiscent of the correctness requirement of a signature

scheme, a SAVprotocol should be correct, i.e., a valid signature

must pass theAidedVerifyprotocol. However, nothing regarding

this is said inWuetal. (2008, 2011).Actually, it is easy tosee that

a malicious server can falsely claim that a valid signature is

invalid with overwhelming probability, by returning random

elements to the verifier. There is no mechanism in their pro-

tocols for the verifier to detect such behaviour.

4. Our definition for the security of server-aided verification

We note the following subtleties in the modelling of collusion

which are unclear in the previous work (Wu et al., 2008, 2011;

Wang et al., 2010).

1. AidedVerify (specifically, AidedVerifyS) is honestly executed

(by the server) or not?

The definition used in Wu et al. (2008, 2011), Wang et al.

(2010) seem to be suggesting an honest execution since the

original algorithm is used in the definition. However, the

attack in the respective paper is assuming otherwise, in which

the server simply ignores what is being sent by the client but

just computes something that can fool the client. The com-

putation involved surely does not match with the original

specification of AidedVerify protocol.

2. The secret information used in generating the verification

parameter VString is public or not?

The framework of Wu et al. (2008, 2011), Wang et al. (2010)

simply puts both the secret random coin and any public string

derived from it into the definition of VString. The security

model in Wu et al. (2008, 2011), Wang et al. (2010) withholds

the whole VString from the adversary. On the other hand, the

security proof given in Wang et al. (2010) regarding the secu-

rity of protocol I in Wu et al. (2008, 2011) actually gives the

whole VString, including the random choices made by the

verifier, to the adversary.

We remark that it is unclear to us how the soundness can

hold in the latter setting since the client is only protected by

his/her secret choice in principle.

3. The signature (forgery), which determines the success/

failure of the adversary, is randomly chosen or adversa-

rially chosen?

In Wu et al. (2008, 2011), the forgery s* is a random invalid

signature chosen by the challenger. The possibility that an

adversary may tailor-make a forgery to fool the client is not

modelled. In Wang et al. (2010), the forgery s* is chosen by the

adversary, yet it should be “according” (directly quoted from

Wang et al. (2010)) to a private/public key pair ðskf ;pkf Þ that isdifferent from ðsk;pkÞ. This again restricts the flexibility of the

adversary to tailor-make a forgery.

4. What is the goal of the adversary?

As motivated in Section 1, the adversary may benefit not

only when an invalid signature is falsely-claimed as a valid

one, it may also benefit from claiming a valid signature as

invalid. The security definitions inWu et al. (2008, 2011),Wang

et al. (2010) have no requirement about this.

4.1. Soundness against collusion

We propose a better model of the security of a SAV scheme

against collusion between the server and the signer by

addressing all the above subtleties.

Definition 8. A server-aided verification protocol is (t,qv)-sound

against adaptive chosen verification attacks under collusion if for all

probabilistic polynomial time adversary A which runs within time t

wins the following game with negligible probability in a security

parameter l.

Setup. The challenger C runs the algorithms Setup, KeyGen and

VStetup to obtain the systemparameter Param, a key pair (sk,pk) and

the private/public verification parameterVString ¼ ðs;GÞrespectively.The adversary A is given Param, (sk,pk) and G, but not s.

Query. A can adaptively make at most qvOAidedVer queries, as

defined in Definition 5. A can maintain some state information state

throughout all these queries.

i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 752

Output. With state, A outputs a message m* and a signature s*

to C. Let b0)Verifyðpk;s�;m�Þ and b1)AidedVerifycðm�;s�;pk;VStringÞ4AðstateÞ. We say that A wins if b0sb1^b1st.

An alternative definition can be given by assigning

b1)AidedVerifycðm�;s�;pk;VStringÞ4AidedVerifysðGÞ instead.

It is equivalent to the above definition by the correctness of

a SAV protocol (Definition 4).

4.2. Existential unforgeability

For existential unforgeability, EUF-CMVA (Definition 5) is

sufficient. It is proven in Wu et al. (2008, 2011) that if a SAV

protocol is secure EUF-CMVA, it is also a secure signature

scheme in the usual sense, i.e., existentially unforgeable

against adaptive chosenmessage attack. The reason behind is

easy to see. Suppose the underlying scheme is insecure, any

forgery, which is a valid signature, should pass an honest

execution of AidedVerify by the correctness of a SAV protocol.

So this is also a forgery which breaks EUF-CMVA of SAV, and

hence the SAV protocol cannot be secure.

SinceEUF-CMVAisdefinedbaseduponanhonest execution

ofAidedVerify, it isnotdifficult toderiveastronger resultbelow.

Theorem 1. A (correct) SAV protocol is EUF-CMVA (in the sense of

Definition 5) if and only if it is also a secure signature scheme in the

usual sense, i.e., existentially unforgeable against adaptive chosen

message attack.

Next, we explore a stronger version of EUF-CMVA, such

that the adversary is considered to have produced a valid

forgery if the client get convinced from the AidedVerifyc pro-

tocol, which may run in an adversarial manner not according

to the original protocol specification. With our definition of

soundness, we have the following result.

Theorem 2. If a sound SAV protocol is EUF-CMVA-secure with

respect to an honest execution AidedVerifys, then it is EUF-CMVA-

secure with respect to an adversarial execution of verification

which deviates from AidedVerifys.

Proof. Assume to the contrary that there exists an ad-

versary A which can produce a signature s* such that

1)AidedVerifycðm�;s�;pk;VStringÞ4AðÞ. s is either a valid

signature or an invalid signature. For the former case, it breaks

EUF-CMVA-security. If it is an invalid signature, it breaks the

soundness of the protocol.

5. Our solution

In this section, we present our generic SAV protocol which is

applicable to a large class of pairing-based signatures. As

Girault et al. (2005), we assume for simplicity that the result of

the verification involves checking a predicate at the end.

Verification algorithm in these existing schemes either fits

with this assumption or can be replaced by a corresponding

equivalent algorithm.

The basic idea of our protocol is similar to the generic

protocol of Girault et al. (2005). Let f be a scheme-specific

public function which takes (Param, pk, m, s) as input,

where Param is the systemparameter, pk is the signer’s public

key, mis the message and s is the signature. Their protocol

assumes the predicate is in the form of beðg; gÞ ¼ beðs0; fðParam;pk;m; rÞÞ, where s ¼ (s

0,r), s

0is the group element in s

and r is the other part of the signature, if any. Hence the

application is rather limited, e.g., it cannot be applied on

schemes (Boneh et al., 2004b, 2003) which involve predicates

not based on beðg; gÞ In contrast, the predicate supported by our

scheme is based on the comparisons between elements in GT

or products of them. This generalizes the predicate class of

Girault et al. (2005) and effectively covers nearly all pairing-

based verification algorithms, in particular, all signature

schemes (Boneh et al., 2004a,b, 2003; Boneh and Shacham,

2004; Boyen, 2007; Camenisch et al., 2007; Cha and Cheon,

2003; Chow et al., 2005; Hess et al., 2002; Lu et al., 2006; Shao

et al., 2005; Waters, 2005) studied in Ferrara et al. (2009); and

other pairing-based cryptographic schemes such as authen-

tication for cloud environment (e.g., Chow et al., 2012a,b),

k-times anonymous authentication (e.g., Au et al., 2013), and

ciphertext validity verification in certificateless encryption

(e.g., Chow et al., 2006, 2008) and identity-based encryption

(e.g., Chow, 2010).

5.1. Our generic protocol

We first establish some notations. Let F be a scheme-specific

function which takes (Param, pk,m, s) as input and let F agg be

a function that is specific to an aggregate signature scheme

which takes Param, {pki}, {mi}, s as input. In the basic form, the

output of F or F agg only consists of a set of group-G elements

fCigi˛½1;n�for a positive integer n. A more general definition F0 orF0

agg allows the output to be pairs of a group-G element and

an exponent in Zp, fðCi;viÞgi˛½1;n�. Let V be a predicate in

the form ofQ

ði;jÞ˛XbeðCi;CjÞ¼?Q

ðk;lÞ˛YbeðCk;ClÞ for some subsets

X ;Y4f1;/; ng � f1;/; ng. Similarly, corresponding to the

more general definition F0 or F0agg, let V0 be a predicate in the

form ofQ

ði;jÞ˛XbeðCvii ;C

vjj Þ¼

? Qðk;lÞ˛YbeðCvk

k ;Cvll Þ for some subsets

X ;Y4f1;/; ng � f1;/; ng.We reduce the task of server-aided verification to the task

of “secure” delegation of pairing computation. Let S be

a secure pairing delegation protocol to be described in details.

The framework of our generic protocol is given below.

1. The verifier runs the pre-computation phase of S, possibly

with the knowledge of a (set of) public key.

2. After receiving a (set of) message, a signature and a (set of)

public key, the verifier executes F0 (or F0agg) to obtain

fðCi;viÞgi˛½1;n� for F0 (or F0agg).

In case the predicate used for verification does not involve

fvigi˛½1;n�, F (or F agg) will be executed instead.

3. The verifier engageswith the server in the request-response

phase of S to ask for the values of beðCi;CjÞ, beðCk;ClÞ where

ði; jÞ˛X ; ðk; lÞ˛Y according to the predicate V or V0.4. The verifier runs the verification phase of S to ensure the

pairing are computed correctly.

5. The verifier finally checks if the predicate is true according

to the values obtained in the output phase ofS, which gives

verification result of the signature.

i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 53

5.2. Pairing delegation protocols

The key element of our SAV protocol is pairing delegation S,

which is introduced in Chevallier-Mames et al. (2010). Below

we adopt slightly the definition from Tsang et al. (2007).

Hereinafter, the term “point” refers to a group G element.

Definition 9. A pairing delegation protocol is a two-move inter-

active protocol between a client (delegator) and a server (delegatee)

consists of five phases e pre-computation, request, response, ver-

ification and output.

1. Pre-computation phase: the client performs local computation

taking the system parameter and possibly one of the points A, B as

the input. The system parameter includes the bilinear map con-

text ðG;GT; g; p; beÞ.2. Request phase: the client sends a message to the server based on

the output of the pre-computation phase. In case that one of the

points is not used in the pre-computation phase, The message to

be sent should be further processed with the knowledge of any

points which are not used in the pre-computation phase.

3. Response phase: the server sends a message to the client. The

input of the server includes the system parameter and the mes-

sage from the client in the request phase.

4. Verification phase: the client verifies the message from the server

based on the output of the pre-computation phase. It halts and

output t if the check fails.

5. Output phase: the client outputs a GT element beðA;BÞ and the

server has no local output.

To our knowledge, the studies of pairing delegation pro-

tocols in the literature include Chevallier-Mames et al. (2010),

Kang et al. (2005), Tsang et al. (2007). Only the protocols in

Tsang et al. (2007) consider batch delegation.

Definition 10. (Tsang et al., 2007). Batch pairing delegation pro-

tocol is an interactive protocol between a client (delegator) and

a server (delegatee). The input of the client consists of a set of points

A; fBigi˛½1;n�˛Gfor a positive integer n. As a result of the protocol, the

client outputs a set ofGT elements fbeðA;BiÞgi˛½1;n� and the server has

no local output.

The first reason we turn our attention to the batch pairing

delegation protocol is that, the definitions of soundness in

Chevallier-Mames et al. (2010), Kang et al. (2005) do not specify

whether A and/or B are known to the adversary (themalicious

server in our context). Indeed, none of the protocols in Kang

et al. (2005) is designed for the case which both of the two

input points are public. This is important in SAV since the

input of the verification algorithm is by definition public (also

recall that the adversary in our adversarial model is equipped

with the message, the signature, the system parameters, etc.)

It is simply not suitable for our purpose if the security of the

protocols relies on the fact that the adversary does not know

the input of the predicate. Moreover, it has been suggested

(Tsang et al., 2007) that there exists a delegation protocol that

is secure if and only if A is private from a simplification of an

existing protocol (Kang et al., 2005). Finally, the protocol for

public points in Tsang et al. (2007) is more efficient than that

its counterpart in Chevallier-Mames et al. (2010). For these

reasons, we choose to instantiate S with the protocol PVPC

(an acronym for “Public Variable and Public Constant”) (Tsang

et al., 2007) which we review below.

� Pre-computation. The client first picks a generator Q˛G and

a random exponent rQ˛RZp; then computes ~Q ¼ QrQ andbeðA; ~QÞ ¼ beðA;QÞrQ .

� Request. The client sends to the server hA;B0 ¼ ~Q$Qn

i¼1Bbii ;

B1;.;Bni, where bi˛RZp.

� Response.Theserver sends ha0;a1;.;ani,whereai ¼ beðA;BiÞ.� Output. The client verifies if ai˛GT for i ¼ 0 to n and beðA; ~QÞ,Qn

i¼1abii ¼ a0 all hold. If so, outputs {ai}, t otherwise.

Limitations. A more flexible type of pairing delegation pro-

tocol is PVPV (an acronym for “Public Variable and Public

Variable”) which is not available to the best of our knowledge.

The other limitation is that the knowledge of the point A is

required in the above PVPC protocol. We remark that there

exists non-batch PVPC protocol which does not require the

knowledge of the constant A in the precomputation stage

(Chevallier-Mames et al., 2010).

5.3. Our construction of SAV protocol for shortsignatures

Following our generic protocol, we define function FBLSand predicate VBLS to build a SAV protocol for Bone-

heLynneShacham signature (Boneh et al., 2004b), with the

notation in Table 1.

� Function FBLS : ðParam;pk;m;sÞ1ðg; s;pk;H0ðmÞÞ.� Predicate VBLS : beðC1;C2Þ¼? beðC3;C4Þ with C1 ¼ g, C2 ¼ s,

C3 ¼ pk, C4 ¼ H0(m).

The verifier engages in the pairing delegation protocol S

with the server and obtains the two pairing values a0 ¼ beðg;sÞand a1 ¼ beðpk;H0ðmÞÞ. Finally, the verifier checks if the predi-

cate is true, that is, whether a0¼? a1.

Since the pairing delegation protocol S we employ is

capable of delegating pairing computations in batch, the

verifier can offload the verification of many signatures from

the same signer to further reduce the computation overhead.

Specifically, the verifier can delegate the computation of fa0i ¼beðg;siÞg and fa1i ¼ beðpk;H0ðmiÞÞg in batch.

Unfortunately, using a PVPC protocol instead of a PVPV

protocol, the pairing of beðC1;C2Þ and beðC3;C4Þ cannot be

batched since only C1 ¼ g is a constant.

Similarly, functions FZSS , FBB and predicates VZSS , VBB for

ZSS (Zhang et al., 2004), and BoneheBoyen (Boneh and Boyen,

2008) short signatures are described below.

� Function FZSS : ðParam;pk;m;sÞ1ðs; gH1ðmÞ$pk; g; gÞ.� Predicate VZSS : beðC1;C2Þ¼? beðC3;C4Þwith C1 ¼ s, C2 ¼ gH1

(m)$pk,

C3 ¼ g, C4 ¼ g.

� Function FBB : ðParam; ðpkX;pkYÞ;m; ðs1;s2ÞÞ1�s1; g

H1ðmÞ$pkX$pks2Y ; g; g

�

.

� Predicate VBB: beðC1;C2Þ¼? beðC3;C4Þ with C1 ¼ s1,

C2 ¼ gH1ðmÞ$pkX$pks2Y , C3 ¼ g, C4 ¼ g.

Table 2 e Complexity of the PVPC pairing delegationprotocol.

Communication overhead Overhead at the server

1 G element 1 pairing evaluation

Online Computation at the Client

1(n þ 1)-multi-EXP in G and 1(n þ 1)-multi-EXP in GT

i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 754

In bothZSS and BB, we have the evaluation of beðg; gÞwhich

is a constant independent of the signer’s public key or the

signature. The client can simply store it without re-computing

it every time. On the other hand, due to the lack of a PVPV

batch protocol, the degree of batching is limited. We can

define functions F0ZSS , F0

BB and predicates V0ZSS , V0

BB for ZSS(Zhang et al., 2004), and BoneheBoyen (Boneh and Boyen,

2008) as below. Note that we omit the exponent vi when it is

equal to 1 for brevity.

� Function F0ZSS : ðParam;pk;m;sÞ1ððg;H1ðmÞÞ;s;pk;s; g; gÞ.

� Predicate V0ZSS : beðCv1

1 ;C2ÞbeðC3;C4Þ¼? beðC5;C6Þ with C1 ¼ g,

v1 ¼ H1(m), C2 ¼ s, C3 ¼ pk, C4 ¼ s, C5 ¼ g, C6 ¼ g.

� Function F0BB : ðParam; ðpkX;pkYÞ;m; ðs1;s2ÞÞ1ððg;H1

ðmÞÞ;s1;pkX;s1;�pkY ;s2

�; s1; g; g

�.

� Predicate V0BB: beðCv1

1 ;C2ÞbeðC3;C4ÞbeðCv55 ;C6Þ¼? beðC7;C8Þ with

C1 ¼ g, v1 ¼ H1(m), C2 ¼ s1, C3 ¼ pkX, C4 ¼ s1, C5 ¼ pkY, v5 ¼ s2,

C6 ¼ s1, C7 ¼ g, C8 ¼ g.

However, verifying n signatures from the same signer

produced by ZSS or BB will require 2 or 3 times of pairing

computations (at the server side) respectively than the normal

approach. One may resort to non-batch protocol instead.

Comparison with Batch Signature Verification. The concepts of

using batch pairing delegation for verifying many signatures

and batch signature verification look almost the same at the

first glance. However, there are subtle differences. Batch ver-

ification often just returns a single bit which denotes whether

all the signatures are valid or there exists at least one which is

invalid. Extrameasures are thus needed to identify the invalid

signature(s) in batch verification. On the other hand, the

pairing values are not aggregated together in batch pairing

delegation, the client can get each of the pairing values. In

other words, the client is able to verify each of the signature

by simple equality checks (and possibly with exponentiations

in GT).

With respect to concrete instantiations available today, for

the case of batching the signatures from different n signers,

(n þ 1) pairing computations are needed by the batch verifier

for BLS proposed in Ferrara et al. (2009). In our approach, these

pairings are delegated, and the client only requires to do OðnÞexponentiations. In the batch verifier approach (Ferrara et al.,

2009), exponents used in verification are randomly chosen but

small, small random exponents may also be used in the batch

pairing delegation protocol (Tsang et al., 2007) since secrecy of

the points are not a concern here. Details on further opti-

mization can be found in Section 5.5.

Finally, we remark that these two approaches can be used

together, i.e., first identify what are the required pairing

computations in a batch verifier, then these computations can

still be delegated by using a pairing delegation protocol.

However, we are not aware of any batch verifier for ZSS or BB.

5.4. Our construction of SAV protocol for aggregatesignatures

For an aggregated signature s, a list of messages fmigni¼1 and

the public key list of the corresponding signers fpkigni¼1, we

define function F aggand predicate V to build a SAV protocol for

Boneh et al.’s aggregate signature (Boneh et al., 2003), fol-

lowing our generic protocol.

� Function

F agg : ðParam;pk1;.;pkn;m1;.;mn;sÞ1ðg; s;pk1;H0ðm1Þ;.;

pkn;H0ðmnÞÞ.� Predicate Vagg: beðC1;C2Þ¼?

Qni¼1beðC2iþ1;C2iþ2Þ with C1 ¼ g,

C2 ¼ s, C2iþ1 ¼ pki, C2iþ2 ¼ H0(mi) for i ¼ 1 to n.

The verifier engages in the pairing delegation protocol S

with the server and obtains the pairing values a0 ¼ beðg; sÞ andai ¼ beðpki;H0ðmiÞÞ for i¼ 1 to n. Finally, the verifier checks if the

predicate is true, that is, whether a0¼?Qn

i¼1ai. Again, we

remark that we are not aware of any protocol of type PVPV and

hence the delegation of these pairing computations cannot be

batched together. On the other hand, computation overhead

can be reduced further by batch delegation of pairing values

for the same signer.

5.5. Efficiency analysis

Complexity of the PVPC delegation protocol for n pairings is

summarized in Table 2. The single pairing value in the pre-

computation phase can be computed by a trusted party and

preloaded to the client. For online computation cost, the client

needs to compute an (n þ 1)-element multi-exponentiation in

G (a computation of the form ax11 /axnþ1

nþ1 ) in the request stage. In

the output stage, the client needs to compute an (n þ 1)-ele-

ment multi-exponentiation in GT.

We believe that these 2 (n þ 1)-element multi-

exponentiations are quite close to the minimum computa-

tion onemust be done. Exponentiation is the basic operation in

discrete-logarithm-based cryptography. When we want to

offer some “security” regarding n elements, intuitivelyweneed

n exponentiations to pre-process them and correspondingly

we need another n exponentiations to verify the results.

Moreover, note that n-element multi-exponentiation can

be performed significantly more efficiently than n different

simple exponentiations. According to the windows methods

in Dimitrov et al. (2000); Moller et al. (2001); Menezes et al.

(2001); Avanzi (2002), For simplicity, we assume multi-

plication and squaring have the same complexity, and we use

tm to denote the computational cost of one modular multi-

plication in group GT. Let [ ¼ jpj, the bit-length of the prime p

which is the order of the group GT. Setting [ ¼ 160 and the

window size w to be 1, the average costs of one exponentia-

tion, 2-element multi-exponentiation and 4-element multi-

exponentiation in GT are about t1xp ¼ 1:488[tm,

t2xp ¼ 1:739[tm, and t4xp ¼ 1:863[tm respectively. For n-element

multi-exponentiation, its cost increases with n and converges

Table 3e The speedup gained by using the PVPC protocolover computing the 100 pairings locally using differenttypes of curves as defined in the PBC library.

Curve Type-A Type-A1 Type-D225

Speedup 2.20 3.23 1.48

Curve Type-E Type-F Type-G

Speedup 3.60 6.73 2.04

i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 55

to tnxp ¼ 1:988[tm when n reaches 15. We obtain these figures

from Avanzi (2002) [Theorem 3.4].

For communication, instead of sending (n þ 1)elements,

only 1 additional element in G (namely, B0) is sent. From the

server to the client, only 1 additional GT element is returned.

Again, we believe that these 2 additional elements are quite

close to the minimum communication overhead required by

a secure SAV protocol, and are also quite affordable by the

transmission power of a mobile device.

For the computation at the server side, instead of com-

puting n pairings as usual, it only requires to compute (nþ 1) of

them instead. The computational overhead at the server is

just 1 pairing computation, which is quite minimal. At the

client side, it has been shown (Tsang et al., 2007) that using

PVPC delegation protocol to delegate the computation of n

pairings, instead of evaluating them locally, is more efficient

for all six types of curves defined in the PBC Library.4 The re-

sults are quoted in Table 3.

Further Optimization. There are various standard opti-

mization tricks which can be applied. One trick we have

applied is the fact that n-elementmulti-exponentiation can be

performed significantly more efficiently than n different sim-

ple exponentiations. One may also consider using small ex-

ponents {bi} in the PVPC protocol. However, at least one of

them should be chosen from a large domain. Otherwise an

adversary may guess the hidden ~Q correctly with non-

negligible probability and hence break the protocol.

5.6. Security analysis

Security Properties of Pairing Delegation. Two security re-

quirements of pairing delegation protocol include complete-

ness and correctness. Informally, completeness means that

theclient canobtain thecorrect valuesafter interactingwithan

honest server; andcorrectnessmeans that the client candetect

(with high probability) when the computation results returned

by the server consists of a wrong value, nomatter whether the

error is introduced deliberately or not. To fit with the wording

in the SAVparadigm,we call the latter requirement soundness

in this paper. The formal definitions are given in B.

Regarding the use of pairing delegation protocols in con-

structing SAV protocols, one may worry that they seem to be

considering different scenarios and may not be compatible.

Specifically, pairing delegation is for two-party and SAV is

executed in a three-party environment. There is a possible

security concern that the signer (who sends messages to the

verifier) and the server (the delegatee in the delegation pro-

tocol) might collude to deceive the verifier (the client, the

delegator). We stress that, the security properties of pairing

delegation protocol hold for all possible input, i.e., the mes-

sage sent from the signer to the verifier. In particular, it covers

the case where the messages the delegator received might be

manipulated by the delegatee.

Security of Our Protocol. Existential unforgeability follows

from the completeness of S and the unforgeability of the

underlying signature scheme with the help of Theorem 1. In

the class of signature schemes we consider, whether a forgery

is valid or not is determined by a predicate which only

4 http://crypto.stanford.edu/pbc.

involves comparison of two products of different pairing

values. If a forgery passes the verification algorithm of the

underlying signature, i.e., it satisfies the predicate determined

by the verification algorithm, by the completeness of S, the

delegated predicatewill evaluate to the same value, and hence

the forgery will pass (an honest execution of) AidedVerify.

Soundness of our protocol follows from the soundness of

S. If the delegated evaluation of the predicate and its direct

evaluation mismatch, there must exist one wrongly-

computed pairing value that is undetected by the client,

which breaks the soundness of S. This can always be identi-

fied by simply recomputing all the pairings involved which

can be done in a polynomial time. This completes our reduc-

tionist proof. A more detailed proof is presented in A.

6. Conclusion

Nowadays, there are many computation devices with rela-

tively limited power, e.g., smart card, RFID tag, but need to

perform cryptographic operations which are both time and

power consuming. Server-aided computation protocols are

particularly useful since these devices often have access to

a more powerful device which can act as the server.

However, we found that the existing security models are

unsatisfactory, and two existing schemes are insecure against

a realistic form of attack which involves a collusion of a signer

and the server. We propose a new security model to capture

this attack and discuss the intuition behind variousmodelling

issues. Finally, we provide a generic construction of SAV

which is applicable on a wide class of pairing-based crypto-

systems. In particular, various short signatures schemes

(Boneh et al., 2004a,b, 2003; Boneh and Shacham, 2004; Boyen,

2007; Camenisch et al., 2007; Cha and Cheon, 2003; Chow et al.,

2005; Hess et al., 2002; Lu et al., 2006; Shao et al., 2005; Waters,

2005); and many other pairing-based cryptographic schemes

(Chow et al., 2006; Chow et al., 2008, 2012a,b; Chow, 2010) are

covered by our construction.

Finally, we note that the existing batch pairing delegation

protocol only supports the pairing of a constant with a list of

points. Considering the wide applicability of pairing in cryp-

tography, it is a very interesting problem to devise a batch

pairing delegation protocol which computes arbitrary pairings

of two lists of variable points.

Appendix A. Security analysis of our genericconstruction of SAV protocol

Let Sig be a pairing-based signature secure against existential

forgery under adaptive chosen message attack (Goldwasser

5 We remark that there is another requirement in Tsang et al.(2007) regarding secrecy of the point based on the notion ofsimulatability. This is not relevant in our discussion and hence isomitted.

i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 756

et al., 1998) withF : ðParam;pk;m; sÞ1fCigi˛½1;n� as the scheme-

specific function and V be the predicateQði;jÞ˛X beðCi;CjÞ¼?

Qðk;lÞ˛YbeðCk;ClÞ for some subsets X ;Y4

f1;/; ng � f1;/; ng as the verification equation of Sig as dis-

cussed in Section 5.

We construct a simulator S that breaks the completeness

of the delegation of pairing computation S or the EUF-CMA

security of Sig (Goldwasser et al., 1998) if there exists

an adversary A that can win in the game described in

Definition 5.

Proof.. Setup: S receives pk as the challenge public key of Sig.

VString is an empty string in our choice of pairing delegation

protocol as the verification parameter is included in pk. S gives

pk to A.

Query: For each OSign query with input m from A, S re-

sponds with the answer from it signing oracle. S addsm to the

set M. For each OAidedVer query with input (m,s), S follows

the the specification of S as server honestly.

Output: Finally, A outputs a message/signature pair (m*,s*)

such that m*;M. S invokes F to obtain {Ci}and verifies the

signaturewith predicate V. If s* is a valid signature onmessage

m*, S returns (m*,s*) as the forgery to the original signature

scheme Sig.

On the other hand, suppose (m*,s*) is not a valid signature,

there exists indexes i,j,k,l and a pairing comparison in predi-

cate V such that beðCi;CjÞsbeðCk;ClÞ and that

SðCi;CjÞ ¼ SðCk;ClÞ. Here SðA;BÞ denotes the output of the

client after interacting with the server in the pairing-

delegation protocol S for the computation of pairing of

points A and B. In this case, S has successfully broken the

completeness of S.

Likewise, we construct a simulator S that breaks the cor-

rectness of the delegation of pairing computation Sif there

exists an adversary A that can win in the game described in

Definition 8.

Proof. Setup: S generates the key pairs (pk,sk) of Sig. VString

is an empty string in our choice of pairing delegation protocol

as the verification parameter is included in pk. S gives (pk,sk)

to A.

Query: For each OAidedVer query with input (m,s), S fol-

lows the the specification of S as server honestly.

Output: Finally, A outputs a message/signature pair (m*,s*)

such that m�;M. S invokes F to obtain {Ci}and verifies the

signature with predicate V.If s* is a valid signature on message m*, that is, b0 ¼ 1. This

implies the set {Ci}satisfies the predicate V. Thus, A wins the

game if and only if there exists indexes i,j,k,land a pairing

comparison in predicate V such that beðCi;CjÞ ¼ beðCk;ClÞ and

that SðCi;CjÞsSðCk;ClÞOn the other hand, suppose (m*,s*) is not a valid sig-

nature, that is, b0 ¼ 0. This implies the set {Ci} does not

satisfy the predicate V. Thus, A wins the game if and only if

there exists indexes i,j,k,l and a pairing comparison in

predicate V such that beðCi;CjÞsbeðCk;ClÞ and that

SðCi;CjÞ ¼ SðCk;ClÞ. In both cases, S has successfully broken

the correctness of S.

Appendix B. Secure (batch) pairing delegation

The security requirements of batch delegation protocols for

asymmetric pairings (Tsang et al., 2007), in which one of the

points is a constant, are reviewed as follow.5 Let A˛G1 be

the constant point, and B1, ., Bn˛G2 be the variable points to

be paired up with A. The protocol’s goal is to compute

fbeðA;BiÞ : i˛f1;.;ngg.Let R and ε be two probabilistic polynomial time (PPT) al-

gorithms modelling the Delegator and the Delegatee respec-

tively. Finally, BDHðlÞ denotes an instance generator for

groups G1;G2;GT with prime orders roughly equal to 2l and

a pairing function be : G1 �G2/GT. Desired properties of

a batch delegation protocols for pairings include:

� Completeness. The Delegator R obtains fbeðA;BiÞ : i˛f1;.;nggafter interacting with an honest Delegatee ε.

� Correctness. The Delegator R can detect (with non-

negligible probability) when the Delegatee ε is cheating

(i.e. the final result leads to a wrong value).

Gamecorrε

ðlÞParam)ðG1;G2;GT; eÞ)R BDHðlÞðt1; t2;.; tnÞ)R RðParam;A;B1;.;BnÞ4EðParam;A;B1;.;BnÞ;ifðdi˛f1;.;ng; ðtisbeðA;BiÞÞÞreturn 0; else return1;

The protocol is correct if the probability thatGamecorrE ðlÞ ¼ 1,

for all Param generated by BDH, for all (A,B1,.,Bn), and for all

PPT adversary ε(that may deviate from the protocol in arbi-

trary way), over the random coins of all algorithms, is non-

negligible in l.

This intuition behind this game is that, for any cheating

Delegatee ε and for any (A,{Bi}:i˛{1,.,n}}), the Delegator Routputs either fbeðA;BiÞ : i˛f1;.;nggor t, denoting invalid,

exceptwith negligible probability, even ðA; fBig : i˛f1;.;nggÞisgiven to the cheating Delegatee ε.

r e f e r e n c e s

Au MH, Susilo W, Mu Y, Chow SSM. Constant-size dynamick-times anonymous authentication. IEEE Syst J 2013.

Avanzi RM. On multi-exponentiation in cryptography. CryptologyePrint Archive, Report 2002/154; 2002.

Bellare M, Garay JA, Rabin T. Fast batch verification for modularexponentiation and digital signatures. In: Nyberg K, editor.Eurocrypt. Lecture Notes in Computer Science, vol. 1403.Springer; 1998. p. 236e50.

Boneh D, Boyen X. Short signatures without random oracles andthe SDH assumption in bilinear groups. J Cryptol 2008;21(2):149e77.

Boneh D, Boyen X, Shacham H. Short group signatures. In:Franklin MK, editor. CRYPTO. Lecture Notes in ComputerScience, vol. 3152. Springer; 2004. p. 41e55.

i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 57

Boneh D, Franklin MK. Identity-based encryption from the Weilpairing. SIAM J Comput 2003;32(3):586e615.

Boneh D, Gentry C, Lynn B, Shacham H. Aggregate and verifiablyencrypted signatures from bilinear maps. In: Biham E, editor.Eurocrypt. Lecture Notes in Computer Science, vol. 2656.Springer; 2003. p. 416e32.

Boneh D, Gentry C, Waters B. Collusion resistant broadcastencryption with short ciphertexts and private keys. In:Shoup V, editor. CRYPTO. Lecture Notes in Computer Science,vol. 3621. Springer; 2005. p. 258e75.

Boneh D, Lynn B, Shacham H. Short signatures from the Weilpairing. J Cryptol 2004b;17(4):297e319.

Boneh D, Shacham H. Group signatures with verifier-localrevocation. In: Atluri V, Pfitzmann B, McDaniel PD, editors.ACM conference on computer and communications security.ACM; 2004. p. 168e77.

Boyen X. Mesh signatures. In: Naor M, editor. EUROCRYPT.Lecture Notes in Computer Science, vol. 4515. Springer; 2007.p. 210e27.

Camenisch J, Hohenberger S, Pedersen MØ. Batch verification ofshort signatures. In: Naor M, editor. EUROCRYPT. Lecture Notesin Computer Science, vol. 4515. Springer; 2007. p. 246e63.

Camenisch J, Lysyanskaya A. Signature schemes and anonymouscredentials from bilinear maps. In: Franklin MK, editor.CRYPTO. Lecture Notes in Computer Science, vol. 3152.Springer; 2004. p. 56e72.

Cha JC, Cheon JH. An identity-based signature from Gap Diffie-Hellman groups. In: Desmedt Y, editor. Public keycryptography. Lecture Notes in Computer Science, vol. 2567.Springer; 2003. p. 18e30.

Chaum D. Designated confirmer signatures. In: Santis AD, editor.Eurocrypt. Lecture Notes in Computer Science, vol. 950.Springer; 1994. p. 86e91.

Chaum D, Antwerpen HV. Undeniable signatures. In: Brassard G,editor. Crypto. Lecture Notes in Computer Science, vol. 435.Springer; 1989. p. 212e6.

Chevallier-Mames B, Coron J-S, McCullagh N, Naccache D,Scott M. Secure delegation of elliptic-curve pairing. In:Gollmann D, Lanet J-L, Iguchi-Cartigny J, editors. CARDIS.Lecture Notes in Computer Science, vol. 6035. Springer. p.24e35. Also available at: http://eprint.iacr.org/2005/150; 2010.

Chow SSM. New privacy-preserving architectures for identity-/attribute-based encryption. Ph.D. thesis, New York University;2010.

Chow SSM, Boyd C, Nieto JMG. Security-mediated certificatelesscryptography. In: Yung M, Dodis Y, Kiayias A, Malkin T,editors. Public key cryptography. Lecture Notes in ComputerScience, vol. 3958. Springer; 2006. p. 508e24.

Chow SSM, Chu C-K, Huang X, Zhou J, Deng RH. Dynamic securecloud storage with provenance. In: Naccache D, editor.Cryptography and security. Lecture Notes in ComputerScience, vol. 6805. Springer; 2012a. p. 442e64.

Chow SSM, Haralambiev K. Non-interactive confirmer signatures.In: Kiayias A, editor. CT-RSA. Lecture Notes in ComputerScience, vol. 6558. Springer; 2011. p. 49e64.

Chow SSM, He YJ, Hui LCK, Yiu SM. SPICE e Simple Privacy-Preserving Identity-Management for Cloud Environment. In:Bao F, Samarati P, Zhou J, editors. ACNS. Lecture Notes inComputer Science, vol. 7341. Springer; 2012b. p. 526e43.

Chow SSM, Liu JK, Zhou J. Identity-based online/offline keyencapsulation and encryption. In: Sandhu R, Wong DS,Cheung B, Hui LCK, editors. ASIACCS. ACM; 2011. p. 52e60.

Chow SSM, Roth V, Rieffel EG. General certificateless encryptionand timed-release encryption. In: Ostrovsky R, Prisco RD,Visconti I, editors. SCN. Lecture Notes in Computer Science,vol. 5229. Springer; 2008. p. 126e43.

Chow SSM, Yiu S-M, Hui LCK. Efficient identity based ringsignature. In: Ioannidis J, Keromytis AD, Yung M, editors.

ACNS. Lecture Notes in Computer Science, vol. 3531; 2005. p.499e512.

Chu C-K, Zhu WT, Chow SSM, Zhou J, Deng RH. Secure mobilesubscription of sensor-encrypted data. In: Sandhu R,Wong DS, Cheung B, Hui LCK, editors. ASIACCS. ACM; 2011.p. 228e37.

Delerablee C. Identity-based broadcast encryption with constantsize Ciphertexts and private keys. In: Kurosawa K, editor.ASIACRYPT. Lecture Notes in Computer Science, vol. 4833.Springer; 2007. p. 200e15.

Dimitrov VS, Jullien GA, Miller WC. Complexity and fastalgorithms for multiexponentiations. IEEE Trans Comput 2000;49(2):141e7.

Ferrara AL, Green M, Hohenberger S, Pedersen MØ. Practical shortsignature batch verification. In: Fischlin M, editor. CT-RSA.Lecture Notes in Computer Science, vol. 5473. Springer; 2009.p. 309e24.

Girault M, Lefranc D. Server-aided verification: theory andpractice. In: Roy BK, editor. ASIACRYPT. Lecture Notes inComputer Science, vol. 3788. Springer; 2005. p. 605e23.

Goldwasser S, Micali S, Rivest R. A digital signature schemesecure against adaptive chosen-message attacks. SIAM JComput 1998;17(2):281e308.

Hess F. Efficient identity based signature schemes based onpairings. In: Nyberg K, Heys HM, editors. Selected areas incryptography. Lecture Notes in Computer Science, vol. 2595.Springer; 2002. p. 310e24.

Kang BG, Lee MS, Park JH. Efficient delegation of pairingcomputation. Cryptology ePrint Archive, Report 2005/259;2005.

Laguillaumie F, Vergnaud D. Short undeniable signatures withoutrandom oracles: the missing link. In: Maitra S, Madhavan CEV,Venkatesan R, editors. Indocrypt. Lecture Notes in ComputerScience, vol. 3797. Springer; 2005. p. 283e96.

Lu S, Ostrovsky R, Sahai A, Shacham H, Waters B. Sequentialaggregate signatures and multisignatures without randomoracles. In: Vaudenay S, editor. EUROCRYPT. Lecture Notes inComputer Science, vol. 4004. Springer; 2006. p. 465e85.

Menezes AJ, van Oorschot PC, Vanstone SA. Handbook of appliedcryptography. CRC Press; 2001.

Moller B. Algorithms for multi-exponentiation. In: Vaudenay S,Youssef AM, editors. Selected areas in cryptography. LectureNotes in Computer Science, vol. 2259. Springer; 2001. p. 165e80.

Sahai A, Waters B. Fuzzy identity-based encryption. In: Cramer R,editor. EUROCRYPT. Lecture Notes in Computer Science,vol. 3494. Springer; 2005. p. 457e73.

Shao Z. Enhanced aggregate signatures from pairings. In: Feng D,Lin D, Yung M, editors. CISC. Lecture Notes in ComputerScience, vol. 3822. Springer; 2005. p. 140e9.

Tsang PP, Chow SSM, Smith SW. Batch pairing delegation. In:Miyaji A, Kikuchi H, Rannenberg K, editors. IWSEC. LectureNotes in Computer Science, vol. 4752. Springer; 2007. p. 74e90.

Wang Z, Wang L, Yang Y, Hu Z. Comment on Wu et al.’s server-aided verification signature schemes. Int J Netw Security 2010;10(2):158e60.

Waters B. Efficient identity-based encryption without randomoracles. In: Cramer R, editor. EUROCRYPT. Lecture Notes inComputer Science, vol. 3494. Springer; 2005. p. 114e27.

Wu W, Mu Y, Susilo W, Huang X. Server-aided verificationsignatures: definitions and new constructions. In: Baek J,Bao F, Chen K, Lai X, editors. ProvSec. Lecture Notes inComputer Science, vol. 5324. Springer; 2008. p. 141e55.

Wu W, Mu Y, Susilo W, Huang X. Provably secure server-aidedverification signatures. Comput Math Appl 2011;61(7):1705e23.

Zhang F, Safavi-Naini R, Susilo W. An efficient signature schemefrom bilinear pairings and its applications. In: Bao F, Deng RH,Zhou J, editors. Public key cryptography. Lecture Notes inComputer Science, vol. 2947. Springer; 2004. p. 277e90.